<h1>Phishing Campaign Targets 80 Plus Firms With RMM Tools</h1>
<p>Published 2026-05-04 at https://delimiter.online/blog/phishing-campaign-targets-80-plus-firms-with-rmm-tools/</p>
<p>A persistent phishing campaign active since at least April 2025 has compromised more than 80 organizations, primarily in the United States, by leveraging legitimate Remote Monitoring and Management (RMM) software. Researchers track the campaign under the codename VENOMOUS#HELPER, and it shows overlapping characteristics with other known threat activity clusters.</p>
<p>Securonix, the cybersecurity firm tracking the operation, reported that the attackers used phishing emails to deploy trusted RMM tools, specifically SimpleHelp and ConnectWise ScreenConnect, on target systems. These tools, which IT teams broadly use for legitimate support and monitoring, gave the attackers a means of establishing persistent remote access to compromised hosts. Because such software is widely trusted, the malicious activity blends in with normal network traffic and administrative behavior.</p>
<p>The campaign's initial infection vector is a deceptive email designed to trick the recipient into starting the installation. Once the RMM software is installed, the attackers can maintain long-term control over the affected systems, allowing data exfiltration, lateral movement within networks, and potential deployment of additional payloads. The compromised organizations span multiple sectors, indicating a broad targeting strategy rather than a focus on a single industry.</p>
<h2>Overlaps With Known Threat Infrastructure</h2>
<p>Analysts from Securonix noted that VENOMOUS#HELPER shares multiple infrastructure and tactical overlaps with previously documented campaigns. These commonalities include similar email templates, command-and-control server configurations, and the specific RMM tools used. This pattern suggests that the same threat actor or a closely related group may be behind this operation, potentially refining methods from earlier intrusions.</p>
<p>The specific use of SimpleHelp and ScreenConnect is notable, as these tools are commonly deployed in business environments. This choice makes it harder for standard security detection systems to flag the remote sessions as malicious without deeper behavioral analysis. The attackers have also taken steps to remain undetected by using encrypted communications and frequently rotating the IP addresses used for command and control.</p>
<h2>Security Implications for Regional Organizations</h2>
<p>For organizations worldwide, this campaign underscores the risk posed by the abuse of legitimate administrative tools. The fact that over 80 entities have been affected in a relatively short period highlights the effectiveness of the approach. Companies are advised to review their remote access policies and implement strict controls over which RMM applications are allowed to run.</p>
<p>User awareness training is also a critical component, as the campaign relies on successful phishing attempts to gain initial access. Verifying the authenticity of any unsolicited communication that prompts software installation can prevent the initial compromise. Network monitoring teams should look for unusual outbound connections from machines running RMM software, especially when those sessions fall outside known administrative schedules.</p>
<h2>Likely Next Steps and Ongoing Investigation</h2>
<p>Given the ongoing nature of the campaign, security researchers expect the threat actors to continue refining their techniques. Affected organizations have been advised to audit their systems for SimpleHelp or ScreenConnect installations that were not properly authorized.</p>
<p>Securonix has indicated that it is continuing to analyze the collected data to identify further infrastructure tied to the attackers. There is no official timeline for when the campaign may conclude, but law enforcement agencies are likely to be involved given the scale of the compromise. Organizations that suspect they have been targeted should engage incident response teams immediately and consider blocking the known indicators of compromise associated with the VENOMOUS#HELPER cluster.</p>
<p>Source: Delimiter Online</p>